shopify-app-js 0.0.1-security → 1.0.1

package/packages/shopify-app-express/src/middlewares/__tests__/csp-headers.test.ts

@@ -0,0 +1,69 @@
+import request from 'supertest';
+import express from 'express';
+import {Session} from '@shopify/shopify-api';
+
+import {shopify, SHOPIFY_HOST, TEST_SHOP} from '../../__tests__/test-helper';
+// import {ShopifyApp, shopifyApp} from '../../index';
+
+const TESTS: {
+  isEmbeddedApp: boolean;
+  expectedCSP: string;
+  shop: any;
+}[] = [];
+
+[true, false].forEach((isEmbeddedApp) => {
+  [TEST_SHOP, 12345, undefined].forEach((shop) => {
+    let expectedCSP = `frame-ancestors 'none';`;
+    if (isEmbeddedApp && typeof shop === 'string') {
+      expectedCSP = `frame-ancestors https://${shop} https://admin.shopify.com https://*.spin.dev;`;
+    }
+    TESTS.push({shop, isEmbeddedApp, expectedCSP});
+  });
+});
+
+describe('cspHeaders', () => {
+  let session: Session;
+  let app: express.Express;
+  const htmlPage =
+    '<html><head></head><body><h1>Hello, World!</h1></body></html>';
+
+  beforeEach(async () => {
+    app = express();
+    app.use('/*', shopify.cspHeaders());
+    app.get('/', async (_req, res) => {
+      res.send(htmlPage);
+    });
+
+    session = new Session({
+      id: '123-this-is-a-session-id',
+      shop: TEST_SHOP,
+      state: '123-this-is-a-state',
+      isOnline: shopify.config.useOnlineTokens,
+      scope: shopify.api.config.scopes.toString(),
+      expires: undefined,
+      accessToken: 'totally-real-access-token',
+    });
+  });
+
+  TESTS.forEach((config) => {
+    it(`sets correct CSP header for ${JSON.stringify(config)}`, async () => {
+      shopify.api.config.isEmbeddedApp = config.isEmbeddedApp;
+
+      await shopify.config.sessionStorage.storeSession(session);
+
+      const encodedHost = Buffer.from(SHOPIFY_HOST, 'utf-8').toString('base64');
+      let shopParam = '';
+      if (config.shop) {
+        shopParam = `shop=${config.shop}`;
+      }
+      const response = await request(app)
+        .get(`/?${shopParam}&host=${encodedHost}&embedded=1`)
+        .expect(200);
+
+      expect(response.text).toEqual(htmlPage);
+      expect(response.headers['content-security-policy']).toEqual(
+        config.expectedCSP,
+      );
+    });
+  });
+});

package/packages/shopify-app-express/src/middlewares/__tests__/ensure-installed-on-shop.test.ts

@@ -0,0 +1,193 @@
+import request from 'supertest';
+import express, {Express} from 'express';
+import {LATEST_API_VERSION, LogSeverity, Session} from '@shopify/shopify-api';
+
+import {
+  createTestHmac,
+  mockShopifyResponse,
+  shopify,
+  SHOPIFY_HOST,
+  TEST_SHOP,
+} from '../../__tests__/test-helper';
+
+describe('ensureInstalledOnShop', () => {
+  let app: Express;
+  let session: Session;
+
+  beforeEach(async () => {
+    app = express();
+    app.use('/test/*', shopify.ensureInstalledOnShop());
+    app.get('/test/shop', async (req, res) => {
+      res.json({data: {shop: {name: req.query.shop}}});
+    });
+    session = new Session({
+      id: `offline_${TEST_SHOP}`,
+      shop: TEST_SHOP,
+      state: '123-this-is-a-state',
+      isOnline: false,
+      scope: shopify.api.config.scopes.toString(),
+      expires: undefined,
+      accessToken: 'totally-real-access-token',
+    });
+  });
+
+  it('proceeds to process request if embedded app is installed', async () => {
+    mockShopifyResponse({data: {shop: {name: TEST_SHOP}}});
+
+    await shopify.config.sessionStorage.storeSession(session);
+
+    const encodedHost = Buffer.from(SHOPIFY_HOST, 'utf-8').toString('base64');
+    const response = await request(app)
+      .get(`/test/shop?shop=${TEST_SHOP}&host=${encodedHost}&embedded=1`)
+      .expect(200);
+
+    expect(response.body).toEqual({
+      data: {
+        shop: {
+          name: TEST_SHOP,
+        },
+      },
+    });
+    expect(response.headers['content-security-policy']).toEqual(
+      `frame-ancestors https://${TEST_SHOP} https://admin.shopify.com https://*.spin.dev;`,
+    );
+  });
+
+  it('returns 400 if no shop provided', async () => {
+    await request(app).get(`/test/shop`).expect(400);
+  });
+
+  it('returns 422 if invalid shop provided', async () => {
+    await request(app).get(`/test/shop?shop=invalid-shop`).expect(422);
+  });
+
+  it('returns 400 if no host provided', async () => {
+    mockShopifyResponse({data: {shop: {name: TEST_SHOP}}});
+    await shopify.config.sessionStorage.storeSession(session);
+
+    await request(app).get(`/test/shop?shop=${TEST_SHOP}`).expect(400);
+  });
+
+  it('redirects to auth via exit iFrame if shop NOT installed', async () => {
+    const encodedHost = Buffer.from(SHOPIFY_HOST, 'utf-8').toString('base64');
+    const response = await request(app)
+      .get(`/test/shop?shop=${TEST_SHOP}&host=${encodedHost}&embedded=1`)
+      .expect(302);
+
+    const expectedRedirectUriStart = new URL(
+      shopify.config.auth.path,
+      `${shopify.api.config.hostScheme}://${shopify.api.config.hostName}`,
+    );
+    const location = new URL(response.header.location, 'https://example.com');
+    const locationParams = location.searchParams;
+
+    expect(location.pathname).toBe(shopify.config.exitIframePath);
+    expect(locationParams.get('shop')).toBe(TEST_SHOP);
+    expect(locationParams.get('host')).toBe(encodedHost);
+    expect(locationParams.get('redirectUri')).toEqual(
+      expect.stringMatching(expectedRedirectUriStart.href),
+    );
+  });
+
+  it('redirects to auth if not installed and not embedded', async () => {
+    mockShopifyResponse({data: {shop: {name: TEST_SHOP}}});
+
+    await shopify.config.sessionStorage.storeSession(session);
+
+    const missingShop = 'some-other-shop.myshopify.io';
+    const encodedHost = Buffer.from(SHOPIFY_HOST, 'utf-8').toString('base64');
+    const response = await request(app)
+      .get(`/test/shop?shop=${missingShop}&host=${encodedHost}`)
+      .expect(302);
+
+    const location = new URL(response.header.location);
+
+    expect(location.host).toBe(missingShop);
+    expect(location.pathname).toBe('/admin/oauth/authorize');
+  });
+
+  it('redirects to auth if installed and not embedded, but token is invalid', async () => {
+    mockShopifyResponse({errors: 'Invalid token'}, {status: 401});
+
+    await shopify.config.sessionStorage.storeSession(session);
+
+    const encodedHost = Buffer.from(SHOPIFY_HOST, 'utf-8').toString('base64');
+    const response = await request(app)
+      .get(`/test/shop?shop=${TEST_SHOP}&host=${encodedHost}`)
+      .expect(302);
+
+    const location = new URL(response.header.location);
+
+    expect(location.host).toBe(TEST_SHOP);
+    expect(location.pathname).toBe('/admin/oauth/authorize');
+  });
+
+  it('does NOT redirect to auth if shop NOT installed AND url is exit iFrame path', async () => {
+    const encodedHost = Buffer.from(SHOPIFY_HOST, 'utf-8').toString('base64');
+    app.use('/exitiframe', shopify.ensureInstalledOnShop());
+    app.get('/exitiframe', async (_req, res) => {
+      res.send('exit iFrame');
+    });
+
+    await request(app)
+      .get(`/exitiframe?shop=${TEST_SHOP}&host=${encodedHost}&embedded=1`)
+      .expect(200);
+  });
+
+  it('redirects to embedded URL if shop is installed AND url is exit iFrame path AND embedded param missing', async () => {
+    mockShopifyResponse({data: {shop: {name: TEST_SHOP}}});
+
+    await shopify.config.sessionStorage.storeSession(session);
+
+    const encodedHost = Buffer.from(SHOPIFY_HOST, 'utf-8').toString('base64');
+    app.use('/exitiframe', shopify.ensureInstalledOnShop());
+    app.get('/exitiframe', async (_req, res) => {
+      res.send('exit iFrame');
+    });
+
+    const response = await request(app)
+      .get(`/exitiframe?shop=${TEST_SHOP}&host=${encodedHost}`)
+      .expect(302);
+
+    const location = new URL(response.header.location, 'https://example.com');
+
+    expect(location.hostname).toBe(SHOPIFY_HOST);
+    expect(location.pathname).toEqual(
+      expect.stringContaining(`apps/${shopify.api.config.apiKey}`),
+    );
+  });
+
+  it('calls validateAuthenticatedSession for non-embedded apps with a log', async () => {
+    shopify.api.config.isEmbeddedApp = false;
+    const validCookies = [
+      `shopify_app_session=${session.id}`,
+      `shopify_app_session.sig=${createTestHmac(
+        shopify.api.config.apiSecretKey,
+        session.id,
+      )}`,
+    ];
+
+    mockShopifyResponse({
+      data: {},
+      extensions: {},
+    });
+    await shopify.config.sessionStorage.storeSession(session);
+
+    await request(app)
+      .get(`/test/shop`)
+      .set('Cookie', validCookies)
+      .expect(200);
+
+    expect({
+      method: 'POST',
+      url: `https://test-shop.myshopify.io/admin/api/${LATEST_API_VERSION}/graphql.json`,
+    }).toMatchMadeHttpRequest();
+
+    expect(shopify.api.config.logger.log).toHaveBeenCalledWith(
+      LogSeverity.Warning,
+      expect.stringContaining(
+        'ensureInstalledOnShop() should only be used in embedded apps; calling validateAuthenticatedSession() instead',
+      ),
+    );
+  });
+});

package/packages/shopify-app-express/src/middlewares/__tests__/redirect-to-shopify-or-app-root.test.ts

@@ -0,0 +1,59 @@
+import {Session} from '@shopify/shopify-api';
+import express from 'express';
+import request from 'supertest';
+
+import {redirectToShopifyOrAppRoot} from '../redirect-to-shopify-or-app-root';
+import {
+  BASE64_HOST,
+  shopify,
+  SHOPIFY_HOST,
+  TEST_SHOP,
+} from '../../__tests__/test-helper';
+
+describe('redirectToShopifyOrAppRoot', () => {
+  const session = new Session({
+    id: 'session-id',
+    accessToken: 'access-token',
+    shop: TEST_SHOP,
+    isOnline: false,
+    state: '1234',
+  });
+
+  let app: express.Express;
+  beforeEach(() => {
+    app = express();
+    app.get(
+      '/redirect-to-host',
+      // Make sure the session is available
+      (req, res, next) => {
+        res.locals.shopify = {session};
+        next();
+      },
+      redirectToShopifyOrAppRoot({api: shopify.api, config: shopify.config})(),
+    );
+  });
+
+  it('redirects to Shopify when embedded', async () => {
+    const host = BASE64_HOST;
+    const response = await request(app)
+      .get(`/redirect-to-host?host=${host}&embedded=1`)
+      .expect(302);
+
+    const url = new URL(response.header.location);
+    expect(url.host).toBe(SHOPIFY_HOST);
+    expect(url.pathname).toBe(`/apps/${shopify.api.config.apiKey}`);
+  });
+
+  it('redirects to app when not embedded', async () => {
+    shopify.api.config.isEmbeddedApp = false;
+
+    const host = BASE64_HOST;
+    const response = await request(app)
+      .get(`/redirect-to-host?host=${host}&embedded=1`)
+      .expect(302);
+
+    expect(response.header.location).toBe(
+      `/?shop=${TEST_SHOP}&host=${encodeURIComponent(host)}`,
+    );
+  });
+});

package/packages/shopify-app-express/src/middlewares/__tests__/validate-authenticated-session.test.ts

@@ -0,0 +1,319 @@
+import request from 'supertest';
+import express, {Express} from 'express';
+import {LATEST_API_VERSION, Session} from '@shopify/shopify-api';
+import jwt from 'jsonwebtoken';
+
+import {
+  createTestHmac,
+  mockShopifyResponse,
+  shopify,
+  SHOPIFY_HOST,
+} from '../../__tests__/test-helper';
+
+describe('validateAuthenticatedSession', () => {
+  let app: Express;
+  let session: Session;
+  const shop = 'my-shop.myshopify.io';
+  const sessionId = `offline_${shop}`;
+
+  describe('for embedded apps', () => {
+    let validJWT: any;
+
+    beforeEach(() => {
+      shopify.config.auth.path = '/api/auth';
+      shopify.config.auth.callbackPath = '/api/auth/callback';
+      shopify.api.config.isEmbeddedApp = true;
+
+      app = express();
+      // Use a short timeout since everything here should be pretty quick. If you see a `socket hang up` error,
+      // it's probably because the timeout is too short.
+      app.use('*', (_req, res, next) => {
+        res.setTimeout(100);
+        next();
+      });
+      app.use('/test/*', shopify.validateAuthenticatedSession());
+      app.get('/test/shop', async (req, res) => {
+        res.json({data: {shop: {name: req.query.shop}}});
+      });
+
+      validJWT = jwt.sign(
+        {
+          dummy: 'data',
+          aud: shopify.api.config.apiKey,
+          dest: `https://${shop}`,
+        },
+        shopify.api.config.apiSecretKey,
+        {
+          algorithm: 'HS256',
+        },
+      );
+
+      session = new Session({
+        id: sessionId,
+        shop,
+        state: '123-this-is-a-state',
+        isOnline: shopify.config.useOnlineTokens,
+        scope: shopify.api.config.scopes.toString(),
+        expires: undefined,
+        accessToken: 'totally-real-access-token',
+      });
+      shopify.config.sessionStorage.storeSession(session);
+    });
+
+    it('active and valid session does not redirect', async () => {
+      mockShopifyResponse({data: {shop: {name: shop}}});
+
+      const response = await request(app)
+        .get('/test/shop?shop=my-shop.myshopify.io')
+        .set('Authorization', `Bearer ${validJWT}`)
+        .expect(200);
+
+      expect(response.body).toEqual({
+        data: {
+          shop: {
+            name: shop,
+          },
+        },
+      });
+    });
+
+    it('inactive session with auth header returns 403 with correct headers', async () => {
+      session.expires = new Date('2020-12-31T00:00:00');
+
+      const response = await request(app)
+        .get('/test/shop?shop=my-shop.myshopify.io')
+        .set({Authorization: `Bearer ${validJWT}`})
+        .expect(403);
+
+      expect(
+        response.headers['x-shopify-api-request-failure-reauthorize'],
+      ).toBe('1');
+      expect(
+        response.headers['x-shopify-api-request-failure-reauthorize-url'],
+      ).toBe(`/api/auth?shop=my-shop.myshopify.io`);
+    });
+
+    it('no session, with auth header returns 403 with correct headers', async () => {
+      jest
+        .spyOn(shopify.api.session, 'getCurrentId')
+        .mockResolvedValueOnce(undefined);
+
+      const response = await request(app)
+        .get('/test/shop?shop=my-shop.myshopify.io')
+        .set({Authorization: `Bearer ${validJWT}`})
+        .expect(403);
+
+      expect(
+        response.headers['x-shopify-api-request-failure-reauthorize'],
+      ).toBe('1');
+      expect(
+        response.headers['x-shopify-api-request-failure-reauthorize-url'],
+      ).toBe(`/api/auth?shop=my-shop.myshopify.io`);
+    });
+
+    it('no session, no shop param, with auth header, returns 403 with correct headers', async () => {
+      jest
+        .spyOn(shopify.api.session, 'getCurrentId')
+        .mockResolvedValueOnce(undefined);
+
+      const response = await request(app)
+        .get('/test/shop')
+        .set({Authorization: `Bearer ${validJWT}`})
+        .expect(403);
+
+      expect(
+        response.headers['x-shopify-api-request-failure-reauthorize'],
+      ).toBe('1');
+      expect(
+        response.headers['x-shopify-api-request-failure-reauthorize-url'],
+      ).toBe(`/api/auth?shop=my-shop.myshopify.io`);
+    });
+
+    it('no session, without auth header redirects to auth', async () => {
+      const response = await request(app)
+        .get('/test/shop?shop=my-shop.myshopify.io')
+        .expect(302);
+
+      expect(response.header.location).toBe(
+        `/api/auth?shop=my-shop.myshopify.io`,
+      );
+    });
+
+    it('redirect to exit iFrame if different shop, embedded param set to 1', async () => {
+      const encodedHost = Buffer.from(SHOPIFY_HOST, 'utf-8').toString('base64');
+      const response = await request(app)
+        .get(
+          `/test/shop?shop=other-shop.myshopify.io&host=${encodedHost}&embedded=1`,
+        )
+        .expect(302);
+
+      const location = new URL(response.header.location, 'https://example.com');
+      const locationParams = location.searchParams;
+
+      expect(location.pathname).toBe(shopify.config.exitIframePath);
+      expect(locationParams.get('shop')).toBe('other-shop.myshopify.io');
+      expect(locationParams.get('host')).toBe(encodedHost);
+      expect(locationParams.get('redirectUri')).toEqual(
+        expect.stringMatching(shopify.config.auth.path),
+      );
+    });
+
+    it('redirects to auth if different shop, no embedded param', async () => {
+      const response = await request(app)
+        .get('/test/shop?shop=other-shop.myshopify.io')
+        .set('Authorization', `Bearer ${validJWT}`)
+        .expect(302);
+
+      const expectedRedirectUriStart = new URL(
+        shopify.config.auth.callbackPath,
+        `${shopify.api.config.hostScheme}://${shopify.api.config.hostName}`,
+      );
+      const location = new URL(response.header.location);
+      const locationParams = location.searchParams;
+
+      expect(location.hostname).toBe('other-shop.myshopify.io');
+      expect(location.pathname).toBe('/admin/oauth/authorize');
+      expect(locationParams.get('client_id')).toBe(shopify.api.config.apiKey);
+      expect(locationParams.get('scope')).toBe(
+        shopify.api.config.scopes.toString(),
+      );
+      expect(locationParams.get('redirect_uri')).toEqual(
+        expect.stringMatching(expectedRedirectUriStart.href),
+      );
+    });
+
+    it('session found, shops match, scopes differ, with auth header', async () => {
+      session.scope = 'read_products,read_draft_orders';
+
+      const response = await request(app)
+        .get('/test/shop?shop=my-shop.myshopify.io')
+        .set({Authorization: `Bearer ${validJWT}`})
+        .expect(403);
+
+      expect(
+        response.headers['x-shopify-api-request-failure-reauthorize'],
+      ).toBe('1');
+      expect(
+        response.headers['x-shopify-api-request-failure-reauthorize-url'],
+      ).toBe(`/api/auth?shop=my-shop.myshopify.io`);
+    });
+
+    it('returns a 401 if the session token is invalid', async () => {
+      const invalidJWT = jwt.sign(
+        {
+          dummy: 'data',
+          aud: shopify.api.config.apiKey,
+          dest: `https://${shop}`,
+        },
+        'different-secret-key',
+        {algorithm: 'HS256'},
+      );
+
+      const response = await request(app)
+        .get('/test/shop?shop=my-shop.myshopify.io')
+        .set({Authorization: `Bearer ${invalidJWT}`})
+        .expect(401);
+
+      expect((response.error as any).text).toMatch(
+        'Failed to parse session token',
+      );
+    });
+
+    it('returns a 500 if the storage throws an error', async () => {
+      jest
+        .spyOn(shopify.config.sessionStorage, 'loadSession')
+        .mockRejectedValueOnce(new Error('Storage error'));
+
+      const response = await request(app)
+        .get('/test/shop?shop=my-shop.myshopify.io')
+        .set({Authorization: `Bearer ${validJWT}`})
+        .expect(500);
+
+      expect((response.error as any).text).toBe('Storage error');
+    });
+  });
+
+  describe('for non-embedded apps', () => {
+    let validCookies: string[];
+
+    beforeEach(() => {
+      shopify.api.config.isEmbeddedApp = false;
+
+      app = express();
+      app.use('/test/*', shopify.validateAuthenticatedSession());
+      app.get('/test/shop', async (req, res) => {
+        res.json({data: {shop: {name: req.query.shop}}});
+      });
+
+      validCookies = [
+        `shopify_app_session=${sessionId}`,
+        `shopify_app_session.sig=${createTestHmac(
+          shopify.api.config.apiSecretKey,
+          sessionId,
+        )}`,
+      ];
+
+      session = new Session({
+        id: sessionId,
+        shop: 'my-shop.myshopify.io',
+        state: '123-this-is-a-state',
+        isOnline: shopify.config.useOnlineTokens,
+        scope: shopify.api.config.scopes.toString(),
+        expires: undefined,
+        accessToken: 'totally-real-access-token',
+      });
+      shopify.config.sessionStorage.storeSession(session);
+    });
+
+    it('finds a session with the right cookie', async () => {
+      mockShopifyResponse({
+        data: {},
+        extensions: {},
+      });
+
+      const response = await request(app)
+        .get('/test/shop?shop=my-shop.myshopify.io')
+        .set('Cookie', validCookies)
+        .expect(200);
+
+      expect({
+        method: 'POST',
+        url: `https://my-shop.myshopify.io/admin/api/${LATEST_API_VERSION}/graphql.json`,
+      }).toMatchMadeHttpRequest();
+
+      expect(response.body).toEqual({
+        data: {
+          shop: {
+            name: 'my-shop.myshopify.io',
+          },
+        },
+      });
+    });
+
+    it('fails to find a session if there is no signature', async () => {
+      const response = await request(app)
+        .get('/test/shop?shop=my-shop.myshopify.io')
+        .set('Cookie', [validCookies[0]])
+        .expect(302);
+
+      expect(response.header.location).toBe(`/auth?shop=my-shop.myshopify.io`);
+    });
+
+    it('returns a 403 with the authentication header in XHR requests', async () => {
+      session.expires = new Date('2020-12-31T00:00:00');
+
+      const response = await request(app)
+        .get('/test/shop?shop=my-shop.myshopify.io')
+        .set('Cookie', validCookies)
+        .set('X-Requested-With', 'XMLHttpRequest')
+        .expect(403);
+
+      expect(
+        response.headers['x-shopify-api-request-failure-reauthorize'],
+      ).toBe('1');
+      expect(
+        response.headers['x-shopify-api-request-failure-reauthorize-url'],
+      ).toBe(`${shopify.config.auth.path}?shop=my-shop.myshopify.io`);
+    });
+  });
+});

package/packages/shopify-app-express/src/middlewares/csp-headers.ts

@@ -0,0 +1,31 @@
+import {Request, Response, NextFunction} from 'express';
+import {Shopify} from '@shopify/shopify-api';
+
+import {CspHeadersMiddleware} from './types';
+
+interface CspHeadersParams {
+  api: Shopify;
+}
+
+export function cspHeaders({api}: CspHeadersParams): CspHeadersMiddleware {
+  return function cspHeaders() {
+    return async (req: Request, res: Response, next: NextFunction) => {
+      addCSPHeader(api, req, res);
+      next();
+    };
+  };
+}
+
+export function addCSPHeader(api: Shopify, req: Request, res: Response) {
+  const shop = api.utils.sanitizeShop(req.query.shop as string);
+  if (api.config.isEmbeddedApp && shop) {
+    res.setHeader(
+      'Content-Security-Policy',
+      `frame-ancestors https://${encodeURIComponent(
+        shop,
+      )} https://admin.shopify.com https://*.spin.dev;`,
+    );
+  } else {
+    res.setHeader('Content-Security-Policy', `frame-ancestors 'none';`);
+  }
+}